
SANS Internet StormCast
SANS Stormcast Wednesday, March 4th, 2026: CrushFTP Brute Force; Android Patches 0-Day; OAuth Phishing Abuse
Why It Matters
These incidents illustrate how simple misconfigurations—weak passwords, delayed updates, and insecure API keys—can be leveraged for high‑impact attacks. Understanding and mitigating these low‑effort vectors is crucial for organizations to protect their infrastructure and users from credential theft, device compromise, and financial loss.
Key Takeaways
- CrushFTP default admin credentials targeted by simple password scans.
- Android Patch Tuesday fixes an actively exploited Qualcomm driver memory flaw.
- OAuth phishing abuses redirect URLs to mimic the legitimate Microsoft login.
- Malicious binaries delivered via OAuth phishing install spyware and credential stealers.
- Exposed Google API keys trigger huge unexpected bills after the AI rollout.
Pulse Analysis
The Stormcast highlighted a wave of credential‑guessing attacks against CrushFTP servers. Rather than exploiting a software flaw, attackers simply probe for the default admin username “crushadmin” paired with the identical password. Organizations that retain such trivial credentials expose themselves to immediate compromise, even though the product itself is not vulnerable. This incident underscores the need for enforced password policies, regular credential audits, and the removal of default accounts during deployment. Vendors can also mitigate risk by blocking commonly used passwords at the authentication layer.
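Both halves of the advice above, spotting a single source hammering a default account and refusing trivial passwords at the authentication layer, can be shown in a few lines. This is an added example, not code from the SANS diary or from CrushFTP; the log format, IP addresses and the small blocklist are constructed for illustration (real CrushFTP logs look different), and only the default account name “crushadmin” comes from the episode.

```python
"""Detect default-credential scans in auth logs and reject weak passwords.

Added example; not code from the SANS diary or CrushFTP. The log format
below is constructed: "<timestamp> <src_ip> LOGIN <user> <OK|FAIL>".
"""
import re
from collections import Counter

# Constructed sample: one source repeatedly trying the default admin account,
# one legitimate user with a single typo.
SAMPLE_LOG = """\
2026-03-03T10:00:01Z 203.0.113.7 LOGIN crushadmin FAIL
2026-03-03T10:00:02Z 203.0.113.7 LOGIN crushadmin FAIL
2026-03-03T10:00:03Z 203.0.113.7 LOGIN crushadmin FAIL
2026-03-03T10:00:04Z 203.0.113.7 LOGIN admin FAIL
2026-03-03T10:00:05Z 203.0.113.7 LOGIN crushadmin FAIL
2026-03-03T10:00:06Z 203.0.113.7 LOGIN crushadmin FAIL
2026-03-03T10:05:00Z 198.51.100.2 LOGIN alice OK
2026-03-03T10:06:00Z 198.51.100.2 LOGIN alice FAIL
2026-03-03T10:06:10Z 198.51.100.2 LOGIN alice OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) LOGIN (?P<user>\S+) (?P<result>OK|FAIL)$"
)

# Account names that ship by default; live logins to them are a red flag.
DEFAULT_ACCOUNTS = {"crushadmin", "admin"}


def parse_log(text):
    """Yield (ip, user, result) for every line matching the constructed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")


def find_scanners(text, threshold=5):
    """Return {ip: failures} for sources with at least `threshold` failed
    logins against default account names, the pattern the diary describes."""
    failures = Counter()
    for ip, user, result in parse_log(text):
        if result == "FAIL" and user in DEFAULT_ACCOUNTS:
            failures[ip] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


# Mitigation at the authentication layer. The blocklist is constructed;
# a real deployment would use a large breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "admin", "crushadmin", "letmein"}


def password_acceptable(username, password, min_len=12):
    """Return (ok, reason). Order matters: the most specific rejection
    reason (password equals username) is reported before the generic ones."""
    if password.lower() == username.lower():
        return False, "equals username"
    if password.lower() in COMMON_PASSWORDS:
        return False, "on common-password blocklist"
    if len(password) < min_len:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    print("suspected scanners:", find_scanners(SAMPLE_LOG))
    print(password_acceptable("crushadmin", "crushadmin"))
    print(password_acceptable("crushadmin", "Tq7!m2Vx9#Lp4w"))
```

The detector keys on failures against default account names rather than on all failures, so a legitimate user mistyping once is not flagged while a scanner cycling through “crushadmin” is. The password check is the vendor-side control the paragraph mentions: it refuses the default credential pair outright, before any password-length rule is consulted.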
April’s Android Patch Tuesday delivered updates for more than 140 vulnerabilities, with a critical fix for a Qualcomm display‑driver memory‑management flaw that is already being weaponized in the wild. The exploit allows privilege escalation and remote code execution on a wide range of devices, making timely patching essential for both consumers and enterprises. However, rollout speed varies by manufacturer and carrier, often leaving users exposed for weeks. Security teams should enforce update policies, monitor device inventories, and consider supplemental mobile‑device‑management controls to ensure patches are applied promptly.
The briefing also warned about sophisticated OAuth phishing campaigns that exploit redirect‑URI handling. Attackers embed a legitimate Microsoft OAuth endpoint in emails, then supply a malicious redirect URL that returns a counterfeit login page, tricking users into surrendering credentials and downloading malware such as the Malibar spyware suite. This technique leverages user trust in familiar Microsoft URLs and the invisibility of background redirects. In parallel, exposed Google API keys have generated unexpected tens‑of‑thousands‑dollar bills after the AI product launch, highlighting the importance of key rotation, restriction, and monitoring. Organizations should adopt Proof Key for Code Exchange (PKCE), enforce least‑privilege API scopes, and educate users on phishing indicators.
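The two OAuth controls this paragraph relies on, strict redirect‑URI matching on the authorization server and PKCE on the client, are small enough to show end to end. This is an added example, not code from Microsoft or the SANS episode; the client identifier and registered redirect URI are constructed placeholders, and the loose comparison is included only as the weak setting beside the corrected one. The PKCE known-answer pair is the one published in RFC 7636 Appendix B.

```python
"""Strict redirect-URI validation and PKCE (RFC 7636, S256 method).

Added example, not code from Microsoft or the SANS episode. Client id and
registered redirect URIs are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed client registration: the exact redirect URIs a client registered.
REGISTERED_REDIRECTS = {
    "client-app-1": {"https://app.example.com/auth/callback"},
}


def redirect_uri_loose(client_id, candidate):
    """The weak setting: a prefix match. Anything appended after the
    registered URI (a query string, extra path characters) still passes."""
    return any(candidate.startswith(r) for r in REGISTERED_REDIRECTS.get(client_id, ()))


def redirect_uri_strict(client_id, candidate):
    """The corrected setting: component-wise exact match on scheme, host,
    port and path; userinfo, query strings and fragments are rejected."""
    try:
        c = urlsplit(candidate)
        c_key = (c.scheme, c.hostname, c.port, c.path)
    except ValueError:  # malformed URL or port
        return False
    if c.scheme != "https" or c.query or c.fragment or c.username or c.password:
        return False
    for r in REGISTERED_REDIRECTS.get(client_id, ()):
        rs = urlsplit(r)
        if c_key == (rs.scheme, rs.hostname, rs.port, rs.path):
            return True
    return False


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes encode to 43 characters, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, challenge: str) -> bool:
    """Authorization-server side: recompute and compare in constant time."""
    return hmac.compare_digest(code_challenge_s256(verifier), challenge)


if __name__ == "__main__":
    good = "https://app.example.com/auth/callback"
    tampered = good + "?next=https://evil.example"
    print("loose accepts tampered:", redirect_uri_loose("client-app-1", tampered))
    print("strict accepts tampered:", redirect_uri_strict("client-app-1", tampered))
    v = new_code_verifier()
    print("pkce roundtrip:", verify_pkce(v, code_challenge_s256(v)))
```

The strict check is what RFC 6749 and current OAuth security guidance call for: the server compares the requested redirect_uri against the registered string as parsed components, so a trailing query or path suffix cannot redirect the authorization response somewhere the client did not register. PKCE binds the code exchange to the client instance that began the flow; with the S256 method the verifier never leaves the client until the token request, so a stolen authorization code alone is not redeemable.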
Episode Description
Bruteforce Scans for CrushFTP
https://isc.sans.edu/diary/Bruteforce%20Scans%20for%20CrushFTP%20/32762
https://source.android.com/docs/security/bulletin/2026/2026-03-01
https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/